By Thomas Claburn
October 9, 2007
Microsoft (MSFT) on Tuesday released six security bulletins, half of
which have an effect on Windows Vista.
"Three of the bulletins impact Vista," said Eric Schultze, chief
security architect, of St. Paul, Minn.-based Shavlik Technologies.
"That's not a really good track record for an operating system that
Microsoft thought was going to secure the world."
Pointing to Windows Vista patches this month and in previous months,
Schultze said, "I don't think Vista has had quite the impact that
Microsoft hoped it would in staving off the need to patch your OS."
Of the six security updates published Tuesday, four are rated "critical"
and two are rated "important." "This is a little larger this month than
average," said Schultze. "Obviously, the big news goes toward bulletin
057, which is for Internet Explorer. The Internet Explorer patch goes
toward addressing a lot of previously known public vulnerabilities. So
you'll want to patch the IE issue pretty quickly for all of your
Internet browsing machines."
"Today's Microsoft patches emphasize the need for proactive browser
protection and the risk of surfing the Web unprotected," said Dave
Marcus, security research and communications manager at McAfee Avert
Labs, in an e-mailed statement. "Many of the vulnerabilities addressed
by the fixes could be exploited if a Windows user simply clicks a
malicious Web link, a favorite attack method among cybercriminals. Users
need to be more careful than ever when surfing the Internet."
Though bulletin 058 is only rated "important" -- the "critical"
designation is typically reserved for flaws that allow remote code
execution -- Schultze nonetheless said the IE fix should be dealt with
"The other big one that I think it really critical to do is bulletin
058, which Microsoft calls the RPC denial of service," said Schultze,
who explained that it could be used to conduct denial of service
attacks. "This one will be really critical for network administrators
and corporations to protect all of their assets on their internal
network... from disgruntled employees."
Schultze said there is no exploit currently circulating for this bug but
he expects there will be one within a week.
The other critical bulletins address flaws in Kodak Image Viewer,
Outlook Express and Windows Mail, and Microsoft Word that could allow
remote code execution. Bulletin 059, rated "important," addresses a
vulnerability found that impacts Windows SharePoint Services 3.0 and
Office SharePoint Server 2007.
Microsoft had expected to release seven updates Tuesday, as stated last
Thursday through its Advance Notification Service (ANS).
Tami Gallupe, Microsoft Security Response Center release manager,
explained in a blog post, "As previously communicated, the ANS is always
subject to change. We decided to remove one of the updates from the
release schedule due to a quality control issue, so we can resolve that
issue prior to releasing the update to customers."
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com